Valid until: 2025-04-12
Classification: Low
3.0 | Edward Robinson | Additions/changes as part of the annual review. Fixed broken links under Administrations. |
In the interest of all the stakeholders, the top management of anDREa B.V. (hereafter called anDREa) is actively committed to demonstrably maintaining and continually improving an information security management system in accordance with the requirements of ISO 27001:2017.
The purpose of this document is to describe the supplier relationships policy of anDREa and the associated controls, checks and administrations.
This document will be reviewed at least annually and when significant change happens.
The objectives of this control are:
To ensure protection of the organisation’s assets that are accessible by suppliers (A.15.1).
To maintain an agreed level of information security and service delivery in line with supplier agreements (A.15.2).
The scope of this document corresponds to Clause 4 Context of the organisation.
This document is:
required reading for:
all employees and contractors of anDREa.
available for all interested parties as appropriate.
anDREa has established a list of supplier categories (Types of suppliers). Per category, minimum requirements are defined;
anDREa maintains a list of suppliers and has identified critical suppliers for processes within anDREa;
anDREa maintains a directory for suppliers which includes (but is not limited to) supplier agreements, data processing agreements, NDAs and relevant certificates/reports;
The suppliers list and directory for suppliers are kept up-to-date through scheduled monthly meetings between the Security Officer and Business Manager. Updates are tracked in a ticket;
The type of information that the supplier/application has access to is classified as sensitive or non-sensitive;
Access to anDREa’s assets is registered per individual in anDREa People in accordance with A.8 Asset management and A.9 Access control;
Suppliers are periodically reviewed and the outcome is tracked in a ticket. There will be a ticket per supplier;
Critical suppliers (exceptions under A.15.2.1) are reviewed at least annually and the outcome is tracked in a ticket. There will be a ticket per supplier;
Suppliers are reviewed based on the presence and content of the general information security requirements as defined in Types of suppliers and, if applicable, supplier-specific (additional) requirements;
If applicable (such as for the hiring of external employees), anDREa will provide information security awareness training;
Suppliers are obliged to report (suspected) information security incidents when working in anDREa systems in accordance with A.16 Information security incident management.
The following terms are considered for inclusion in the agreements in order to satisfy the identified information security requirements, depending on the supplier:
A description of the information to be provided or accessed and the methods of providing or accessing the information;
The classification of information in accordance with A.8.2 Information classification;
The legal and regulatory requirements, including data protection, intellectual property rights and copyright, and confidentiality, and a description of how compliance with them will be ensured;
The information security policies relevant to the specific contract, such as access control, incident management procedures and other relevant procedures;
Notification in case of an information security incident or significant changes in information security policies;
Either an explicit list of supplier personnel authorized to access or receive the organization’s information, or procedures or conditions for granting and removing such authorization;
Contact person information for information security related questions and procedures;
The relevant regulations for sub-contracting, including the controls that need to be implemented;
The right to audit the supplier processes and controls related to the agreement.
Termination of supplier agreement
There may be various reasons for terminating an agreement with a supplier or major revisions in the agreement itself might be needed. Terms and requirements for termination of a supplier agreement are described in the supplier agreement itself.
The following topics must be taken into consideration:
In case of a critical supplier, a security impact assessment might be necessary.
Offboarding of a supplier:
If applicable, removing access rights.
Ensure that the information that was provided to the supplier has been deleted. For this, confirmation of deletion must be provided by the supplier.
Informing employees/partners/customers that the supplier relationship has ended.
All of the above are registered in a ticket by the Security Officer.
Exceptions
There are two exception cases where it might be difficult to follow the above guidelines:
anDREa has agreements that were already concluded before this policy came into effect; it might therefore be difficult to impose additional requirements.
Enter into a conversation with the supplier.
If the supplier is not willing to cooperate, a risk assessment will be performed, on the basis of which it may be decided to switch to a different supplier.
anDREa has an agreement with a large supplier (often suppliers of applications that are used worldwide, such as Microsoft). These suppliers use standard agreements that they do not deviate from.
Review the standard agreements and determine if any requirements are missing.
Perform a security impact assessment; based on the results, it may be decided to switch to a different supplier.
anDREa recognizes that its size relative to some of the very large providers it will sometimes work with (e.g. data centers and hosting services, banks, etc.) may limit its ability to influence practices further down the supply chain.
Monitoring and review of supplier services ensures that the information security terms and conditions of the agreements are being adhered to and that information security incidents and problems are managed properly (in accordance with A.16 Information security incident management).
anDREa will:
Monitor service performance levels to verify adherence to the agreements (example: Microsoft Azure service level agreement);
Review critical suppliers periodically and when significant changes occur:
Small or unknown parties in the ecosystem: annually;
Large or known companies: every 3 years.
Stay up-to-date on information security incidents regarding the supplier. anDREa will require the supplier to promptly notify it of information security incidents.
If applicable, conduct audits of suppliers, in conjunction with the review of independent auditor’s reports, if available, and follow-up on issues identified.
Resolve and manage any identified problems.
Require suppliers to have a conflict resolution process that can be invoked if requirements are not met.
The following aspects are being taken into consideration:
Changes to supplier agreements;
Changes in supplier services to implement:
Changes and enhancements to networks;
Use of new technologies;
Adoption of new products or newer versions/releases;
New development tools and environments;
Changes to the physical location of service facilities;
Change of suppliers;
Sub-contracting to another supplier.
Changes made by the organization to implement:
Enhancements to the current services offered;
Development of any new applications and systems;
Modifications or updates of the organization’s policies and procedures;
New or changed controls to resolve information security incidents and to improve security.
All of the above will be registered in tickets.
Types of suppliers (authorised personnel only)
anDREa supplier list (authorised personnel only)
Directory with supplier agreements (authorised personnel only)
Ticket for keeping the supplier list and directory up to date (authorised personnel only)
If needed, risk assessment reports (authorised personnel only)